CN105981331A - An entity handle registry to support traffic policy enforcement - Google Patents
- Publication number
- CN105981331A, CN201580007364.5A
- Authority
- CN
- China
- Prior art keywords
- network
- network entity
- entry
- network traffic
- entity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/50—Network service management, e.g. ensuring proper service fulfilment according to agreements
- H04L41/5003—Managing SLA; Interaction between SLA and QoS
- H04L41/5019—Ensuring fulfilment of SLA
- H04L41/5022—Ensuring fulfilment of SLA by giving priorities, e.g. assigning classes of service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0894—Policy-based network configuration management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0895—Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/40—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/50—Network service management, e.g. ensuring proper service fulfilment according to agreements
- H04L41/5029—Service quality level-based billing, e.g. dependent on measured service level customer is charged more or less
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A provider network may implement a network entity registry for network entity handles included in network traffic policies enforced for a provider network. Network entity entries may be maintained in a network entity registry that specify network address information for network entity handles included in network traffic control policies. Network traffic control policies may be enforced by a network traffic controller. When an update to a network entity entry is received, the network entity entry may be updated and the network address information specified in the network entity entry may be provided to a subset of network traffic controls implemented in a provider network, namely those network traffic controls enforcing network traffic policies that include the network entity handle for the updated network entity entry. Network entity entries may, in some embodiments, not be updated by a network entity entry owner.
Description
Background
The advent of virtualization technologies for commodity hardware has provided benefits with respect to managing large-scale computing resources for many customers with diverse needs, allowing various computing resources to be efficiently and securely shared by multiple customers. For example, virtualization technologies may allow a single physical computing machine to be shared among multiple users by providing each user with one or more virtual machines hosted by the single physical computing machine (each such virtual machine being a software simulation acting as a distinct logical computing system that provides users with the illusion that they are the sole operators and administrators of a given hardware computing resource), while also providing application isolation and security among the various virtual machines. As another example, virtualization technologies may allow data storage hardware to be shared among multiple users by providing each user with a virtualized data store that may be distributed across multiple data storage devices, with each such virtualized data store acting as a distinct logical data store that provides users with the illusion that they are the sole operators and administrators of the data storage resource.
Virtualization technologies may be leveraged to create many different types of services or to perform different functions for client systems or devices. For example, virtual machines may be used to implement a network-based service for external customers, such as an e-commerce platform. Virtual machines may also be used to implement a service or tool for internal customers, such as an information technology (IT) service implemented as part of an internal network for a corporation. Network traffic may therefore be directed to these virtual machines in order to perform the various functions or tasks provided by the services or functions performed utilizing the virtual machines. In order to ensure that authorized or controlled access is enforced for network traffic received at virtual machines, network traffic policies may be employed to control network traffic to and from the virtual machines. As the network environments in which virtual machines operate may change, network traffic policies may change correspondingly. However, managing traffic policies for a diverse set of virtual machines that may scale in number may prove burdensome when implementing multiple changes to network traffic policies.
Brief description of the drawings
Fig. 1 is a diagram illustrating a network entity registry and multiple network entities in a network, according to some embodiments.
Fig. 2 is a dataflow diagram illustrating updates to network entity entries in a network entity registry, according to some embodiments.
Fig. 3 is a block diagram illustrating examples of network entity entries, network traffic policies that include network entity handles, and security groups, according to some embodiments.
Fig. 4 is a block diagram illustrating a virtual computing resource provider that implements a network entity registry for network entity handles included in network traffic policies enforced at network traffic controllers, according to some embodiments.
Fig. 5 is a block diagram illustrating network traffic processing performed by a network traffic controller for a virtualization host, according to some embodiments.
Fig. 6 is a block diagram illustrating interactions among a network entity entry owner, a network entity entry modifier, and a network entity registry, according to some embodiments.
Fig. 7 is a block diagram illustrating interactions among a traffic source, a network traffic controller, and a network entity registry, according to some embodiments.
Fig. 8 is a high-level flowchart illustrating various methods and techniques for implementing a network entity registry for network entity handles included in network traffic policies enforced for a provider network, according to some embodiments.
Fig. 9 is a high-level flowchart illustrating various methods and techniques for obtaining approval from a network entity entry owner for updates to a network entity entry, according to some embodiments.
Fig. 10 is a high-level flowchart illustrating various methods and techniques for registering network traffic controllers to receive network address information for network entity handles to network entity entries in a network entity registry, according to some embodiments.
Fig. 11 is a high-level flowchart illustrating various methods and techniques for obtaining specified network address information for an updated network entity entry, according to some embodiments.
Fig. 12 is a block diagram illustrating an example computing system, according to some embodiments.
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that the embodiments are not limited to the embodiments or drawings described. It should be understood that the drawings and the detailed description thereto are not intended to limit embodiments to the particular form disclosed; on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word "may" is used in a permissive sense (i.e., meaning having the potential to) rather than the mandatory sense (i.e., meaning must). Similarly, the words "include", "including", and "includes" mean including, but not limited to.
Detailed description
According to some embodiments, the systems and methods described herein may implement a network entity registry for network entity handles included in network traffic policies enforced for a provider network. A provider network may supply clients, operators, or other customers with access to and/or control of one or more computing resources. These resources may include various types of computing systems or devices configured for communication over a network. For example, in some embodiments, a provider network may provide virtual computing resources to clients, users, or other types of customers in the form of reserved compute instances (e.g., a virtual machine acting as a distinct logical computing system that provides users with the illusion that they are the sole operators and administrators of a given hardware computing resource). Clients of the provider network may reserve (i.e., purchase or buy) one or more compute resources (such as compute instances) to perform various functions, services, techniques, and/or applications. As part of performing these functions, services, techniques, and/or applications, network traffic may be allowed, prohibited, or otherwise managed at the different compute resources. For example, a set of compute resources (such as multiple servers) that provide an authentication service for an e-commerce website may accept network traffic only from a particular set of Internet Protocol (IP) addresses. Such restrictions, allowances, prohibitions, or other network traffic controls may be described in a network traffic policy (e.g., "ALLOW traffic on port X from IP address Y"). Provider clients may configure network traffic policies to enforce the same actions for multiple compute resources, thereby forming a security group for the multiple compute resources. A security group may apply multiple network traffic control policies, which in turn may have one or more network traffic control policies.
Provider clients utilizing compute resources may take advantage of the flexibility with which new resources can be acquired. Virtual compute resources may be scaled quickly, for instance to meet demand for a provider client implementing a fast-growing web service. As the number of compute instances grows, managing different security policies and security groups may become complex and time-consuming. For example, compute instances may belong to multiple different security groups, each of which may enforce multiple different network traffic policies. Manually updating each security group for each change to a network traffic policy may prove costly for provider clients and may not allow network traffic policies to be changed quickly in reaction to changing network traffic conditions.
Fig. 1 is a diagram illustrating a network entity registry and multiple network entities in a network, according to some embodiments. In some embodiments, network traffic policies and their associated security groups may be updated without manually changing each affected group or policy. For example, a network traffic policy may include a network entity handle to a network entity entry maintained in a network entity registry. As illustrated in Fig. 1, in various embodiments provider network 100 may implement network entity registry 120 to maintain entries for different network entities both within provider network 100 and external to provider network 100. A network entity may generally be one or more different computing systems or devices that may send data (i.e., network traffic) to, or receive data from, other computing systems or devices. A network entity may be identified as, but is not limited to: a single IP address, such as may identify a particular host; a range of IP addresses; a subnet (which may include an IP address and a mask), such as may identify a network; a domain name or host name, such as may be translated to different IP addresses; endpoints of various network mechanisms (such as a virtual private network (VPN)); different groups of entities (such as defined by a security group); or any other information used to locate a particular entity. In various embodiments, a network entity may consist of seemingly arbitrary or (otherwise) unrelated addressable elements. In some embodiments, a network entity entry may be maintained in network entity registry 120 and include network address or location information for the entity and a handle name or identifier. In some embodiments, other information for the network entity entry may also be maintained, such as a version number and/or one or more previous versions of each portion of the entry (e.g., the network address information). A deployment schedule for portions of the network entity entry may be maintained (e.g., when and/or how the network address information is to be provided). In some embodiments, network entity registry 120 may also maintain information describing the network traffic controllers or other systems, components, or devices that enforce network traffic policies including the handle for a particular entity entry.
For example, network entity 182 may be a single system (or a computing device, or an endpoint to a network of systems). The network entity registry may, for example, maintain an entry for network entity 182 that specifies network address information for network entity 182, such as the IP address of addressable element 122a. Network traffic controller 122b may be configured to provide access through provider network 100 to and from addressable element 122a. In another example, network entity 184 may include multiple addressable elements 124a and 126a (together with their respective network traffic controllers 124b and 126b). The network address information for network entity 184 may include a range of IP addresses, or may identify network entity 184 as a subnet. Entries may also be maintained for network entities that are groups of addressable elements (which may or may not be members of the same subnet, as may be the case for network entity 184). For example, network entity 174 includes a security group of multiple addressable elements 132a, 134a, and 136a (and their respective network traffic controllers 132b, 134b, and 136b) that may be associated together in order to enforce common network traffic policies. Addressable element 132a may be an endpoint to a network of other computing systems or devices, while addressable elements 134a and 136a may be single addressable computing systems. Network entities may include varying numbers and/or sizes of elements. Network entity 172, for instance, is a security group with one fewer addressable element than network entity 174 (addressable elements 142a and 144a and their respective network traffic controllers 142b and 144b). Network entities external to provider network 100 may also have respective entries in network entity registry 120, as network traffic 110 from external entities may be directed toward various resources within provider network 100.
In various embodiments, network entity registry 120 may be implemented as part of a service of the provider network for managing network traffic policies. For example, the network entity registry may be implemented as part of a security group management service that manages or coordinates network traffic policies for security groups established for provider network resources. The security group management service may communicate with other services (such as a mapping service or other routing component or service) to provide the network address information specified for network entity entries to other systems that enforce network traffic control policies. Although illustrated as adjacent to addressable elements, network traffic controllers may, in some embodiments, be located on separate systems or devices through which network traffic flows to the addressable elements.
Fig. 2 is a dataflow diagram illustrating the creation of and/or updates to network entity entries in a network entity registry, according to some embodiments. A new network entity may be registered and/or an update to a network entity entry 272 may be received at network entity registry 220 (illustrated as implemented as part of security group management service 210). Changes corresponding to the update are made to the respective entry in network entity registry 220, or a new entity entry is created. Various different structured data stores (such as a database or other storage scheme) may be used to store network entity entries. In some embodiments, authentication and authorization credentials and/or procedures may have to be satisfied before a new network entity may be registered or a network entity entry updated.
For an updated network entity entry (or a new network entity entry), the network address information specified in the network entity entry 282 may be provided to the network traffic controllers that enforce network traffic control policies including the handle for the network entity entry (e.g., including a handle id or other handle reference). The network address information may be provided to network traffic controllers in different ways. For example, in some embodiments a push technique may be implemented, whereby the network address information for a network entity entry is sent to network traffic controllers when an update or new entry is received or maintained. For example, security group management service 210 may maintain information about the network traffic policies associated with particular security groups and about the members of particular security groups. Thus, the network traffic controllers 252 of security group A 242 may be described, listed, or indicated in security group management service 210, and the network address information for the network entity entry may be sent to the network traffic controllers 252 identified based on this membership information. Similarly, membership information may be maintained for security group B 244 and security group C 246, allowing security group management service 210 to identify the network traffic controllers 254 enforcing security group B and the network traffic controllers 256 enforcing security group C. Alternatively, in some embodiments, network traffic controllers 252, 254, and 256 may request (e.g., using polling behavior) the network address information for new or updated network entity entries for their respective network entity handles. Note that, in various embodiments, network traffic controllers 252, 254, and 256 are a subset of a larger number of network traffic controllers enforcing network traffic policies in the provider network. For example, in various embodiments, network traffic controllers enforcing network traffic policies that do not include the network entity handle for a new or updated network entity entry may not receive network address information 282.
As discussed above, network traffic policies may include network entity handles to network entity entries maintained in a network entity registry. Fig. 3 is a block diagram illustrating examples of network entity entries, network traffic policies that include network entity handles, and security groups, according to some embodiments. Network entity registry 310 maintains multiple network entity entries, such as entries 330, 332, and 334. Each network entity entry may include network address information for the network entity that is used to identify and/or communicate with the network entity, such as an IP address, a range of IP addresses, a mask, and various other forms of network address information. A network entity entry may also include a handle for the network entity entry, such as a handle reference or identifier, that may be included in a network traffic policy to indicate the network address information specified for the network traffic policy. In some embodiments, a version identifier that identifies a particular version of the network entity entry (e.g., a version number or timestamp) may be maintained. In some embodiments, multiple previous versions of an entity entry may be maintained in addition to the current entity entry, and may be provided to network traffic controllers, for example to roll back a change.
Network traffic policies may implement many different types of network traffic controls. For example, some network traffic policies may be configured to allow or prohibit traffic. Network traffic policy 344a allows inbound TCP traffic on port 9876 from network entity handle 340. Network traffic policy 344b, meanwhile, allows outbound TCP traffic on port 443 to network entity handle 344. Network traffic policies may also be used to enforce network traffic controls such as throttling traffic, as illustrated by network traffic policy 346a, or, as in network traffic policy 346b, handling traffic in a particular order or storing traffic in a particular way. In some embodiments, network bandwidth adjustments may be made using network traffic policies that include network entity handles. Various types of attributes or information may be included in a network traffic policy, such as a particular protocol, port, and/or traffic type. As noted earlier with regard to Fig. 1, network entities may include multiple systems or devices as well as subnets, VPN endpoints, gateways or other security mechanisms, and groups, such as security groups of multiple network entities. Network traffic policies may therefore be configured to control traffic from these entities in many different ways, and the previous examples of network traffic policies are not intended to be limiting.
A network entity handle may be expanded with the network address information specified in the particular entity entry that the network entity handle references. If, for example, network entity handle 340 has a handle reference of "bob_network", then network entity entry 330, which includes the handle "bob_network", may specify the network address information with which handle 340 is expanded for enforcing network traffic policies 344a and 346b. Similarly, a network entity handle may have an id that is also included in network entity entry 344, such as entity 2ABY1.
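The following Python sketch is an added example, not code from the patent: it models the push flow described for Fig. 2 (only controllers whose policies include a handle are notified) together with the handle expansion and versioned rollback described for Fig. 3. The class names, the owner-only update rule, the handle "ops_network", port 5432 and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    action: str    # only "ALLOW" is modelled; anything unmatched is denied
    protocol: str
    port: int
    handle: str    # network entity handle used in place of literal addresses


class Controller:  # enforces policies for one resource; keeps its own expansions
    def __init__(self, name, policies):
        self.name = name
        self.policies = list(policies)
        self.expanded = {}  # handle -> (version, networks)

    def receive(self, handle, version, networks):
        current = self.expanded.get(handle)
        if current is None or version > current[0]:  # drop stale or replayed pushes
            self.expanded[handle] = (version, networks)

    def allows(self, src_ip, protocol, port):
        addr = ipaddress.ip_address(src_ip)
        for p in self.policies:
            if (p.action, p.protocol, p.port) != ("ALLOW", protocol, port):
                continue
            _, networks = self.expanded.get(p.handle, (0, ()))
            if any(addr in net for net in networks):
                return True
        return False  # default deny, also while a handle is still unresolved


class Registry:  # maps each handle to versioned network address information
    def __init__(self):
        self.entries = {}      # handle -> {"owner": str, "versions": [networks, ...]}
        self.subscribers = {}  # handle -> controllers whose policies include it

    def subscribe(self, controller):
        for handle in sorted({p.handle for p in controller.policies}):
            self.subscribers.setdefault(handle, []).append(controller)
            if handle in self.entries:
                self._push(handle, [controller])

    def _authorize(self, handle, requester):
        if requester != self.entries[handle]["owner"]:
            raise PermissionError(f"{requester} may not change {handle}")

    def update(self, handle, cidrs, requester):
        # Validate first so a malformed update never creates or changes an entry.
        networks = tuple(ipaddress.ip_network(c, strict=True) for c in cidrs)
        if handle not in self.entries:
            self.entries[handle] = {"owner": requester, "versions": []}
        self._authorize(handle, requester)
        self.entries[handle]["versions"].append(networks)
        return self._push(handle, self.subscribers.get(handle, []))

    def rollback(self, handle, requester):
        self._authorize(handle, requester)
        versions = self.entries[handle]["versions"]
        if len(versions) < 2:
            raise ValueError("no previous version to roll back to")
        versions.append(versions[-2])  # republish under a new, higher version
        return self._push(handle, self.subscribers.get(handle, []))

    def _push(self, handle, controllers):
        versions = self.entries[handle]["versions"]
        for controller in controllers:
            controller.receive(handle, len(versions), versions[-1])
        return sorted(c.name for c in controllers)


def demo():
    # Constructed scenario: one controller per policy, addresses from RFC 5737.
    registry = Registry()
    web = Controller("web", [Policy("ALLOW", "tcp", 9876, "bob_network")])
    db = Controller("db", [Policy("ALLOW", "tcp", 5432, "ops_network")])
    registry.subscribe(web)
    registry.subscribe(db)
    out = {"unresolved": web.allows("192.0.2.10", "tcp", 9876)}
    out["notified"] = registry.update("bob_network", ["192.0.2.0/24"], "bob")
    out["v1"] = web.allows("192.0.2.10", "tcp", 9876)
    registry.update("bob_network", ["198.51.100.0/24"], "bob")
    out["v2"] = (web.allows("192.0.2.10", "tcp", 9876),
                 web.allows("198.51.100.7", "tcp", 9876))
    registry.rollback("bob_network", "bob")
    out["rolled_back"] = web.allows("192.0.2.10", "tcp", 9876)
    try:
        registry.update("bob_network", ["203.0.113.0/24"], "carol")
    except PermissionError as exc:
        out["non_owner"] = str(exc)
    out["web_version"] = web.expanded["bob_network"][0]
    out["db_handles"] = sorted(db.expanded)
    return out


if __name__ == "__main__":
    print(demo())
```

The policy text itself never changes in this run; only the registry entry does, and the rollback is published as version 3 so that a controller that ignores stale versions still accepts it.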
In some embodiments, network traffic policies may be associated with a particular security group, so that the network traffic policies are enforced for all compute resources that are members of, or associated with, the particular security group. For example, network traffic policies 344a and 344b are enforced for compute resources that are members of security group 302a. Similarly, both network traffic policies 346a and 346b are enforced for compute resources that are members of, or associated with, security group 302b. In some embodiments, compute resources may be associated with multiple security groups. Thus, a particular compute resource (such as a particular compute instance) may be a member of both security groups 302a and 302b.
Please note that the previous descriptions are not intended to be limiting, but are provided merely as examples of provider networks, network entity registries, and network traffic policies. Various other components may interact with, or assist in enforcing, network traffic policies that include handles to network entity entries.
This specification next includes a general description of a virtual computing resource provider, which may implement a network entity registry for network entity handles included in network traffic policies enforced for a provider network. Various examples of a virtual computing resource provider are then discussed, including different components/modules, or arrangements of components/modules, that may be employed as part of implementing a virtual computing resource provider. A number of different methods and techniques for implementing a network entity registry for network entity handles included in network traffic policies enforced for a provider network are then discussed, some of which are illustrated in accompanying flowcharts. Finally, a description of an example computing system upon which the various components, modules, systems, devices, and/or nodes may be implemented is provided. Various examples are provided throughout the specification.
Fig. 4 is a block diagram illustrating a virtual computing resource provider that implements a network entity registry for network entity handles included in network traffic policies enforced at network traffic controllers, according to some embodiments. Provider network 400 may be set up by an entity (such as a company or a public sector organization) to provide one or more services (such as various types of cloud-based computing or storage) accessible via the Internet and/or other networks to clients 450. Provider network 400 may include numerous data centers hosting various resource pools, such as collections of physical and/or virtualized computer servers, storage devices, networking equipment, and the like, needed to implement and distribute the infrastructure and services offered by provider network 400. In some embodiments, provider network 300 may provide computing resources. In some embodiments, these computing resources may be offered to clients in units called "instances" 424 (such as virtual or physical compute instances or storage instances).
A virtual compute instance 424 may, for example, comprise one or more servers with a specified computational capacity (which may be specified by indicating the type and number of CPUs, the main memory size, and so on) and a specified software stack (e.g., a particular version of an operating system, which may in turn run on top of a hypervisor). In various embodiments, a number of different types of computing devices may be used singly or in combination to implement the compute instances 424 of provider network 400, including general-purpose or special-purpose computer servers, storage devices, network devices, and the like. In some embodiments, instance clients 450 or any other user may be configured (and/or authorized) to direct network traffic to a compute instance 424.
Compute instances 424 may operate or implement a variety of different platforms, such as application server instances, Java™ virtual machines (JVMs), general-purpose or special-purpose operating systems, platforms that support various interpreted or compiled programming languages (such as Ruby, Perl, Python, C, C++ and the like), or high-performance computing platforms suitable for performing client 450 applications without, for example, requiring the client 450 to access an instance 424. In some embodiments, compute instances have different types or configurations based on expected uptime ratios. The uptime ratio of a particular compute instance may be defined as the ratio of the amount of time the instance is activated to the total amount of time for which the instance is reserved. In some embodiments, uptime ratios may also be referred to as utilizations. If a client expects to use a compute instance for a relatively small fraction of the time for which the instance is reserved (e.g., 30%-35% of a year-long reservation), the client may decide to reserve the instance as a low uptime ratio instance and pay a discounted hourly usage fee in accordance with the associated pricing policy. If the client expects to have a steady-state workload that requires an instance to be up most of the time, the client may reserve a high uptime ratio instance and potentially pay an even lower hourly usage fee, although in some embodiments the hourly fee may be charged for the entire duration of the reservation, regardless of the actual number of hours of use, in accordance with the pricing policy. In some embodiments, an option for medium uptime ratio instances, with a corresponding pricing policy, may also be supported, where the upfront costs and the per-hour costs fall between the corresponding high uptime ratio and low uptime ratio costs.
Compute instance configurations may also include compute instances with a general or specific purpose, such as computational workloads for compute-intensive applications (e.g., high-traffic web applications, ad serving, batch processing, video encoding, distributed analytics, high-energy physics, genome analysis, and computational fluid dynamics), graphics-intensive workloads (e.g., game streaming, 3D application streaming, server-side graphics workloads, rendering, financial modeling, and engineering design), memory-intensive workloads (e.g., high-performance databases, distributed memory caches, in-memory analytics, genome assembly and analysis), and storage-optimized workloads (e.g., data warehousing and cluster file systems). Compute instance configurations may further include the size of compute instances, such as a particular number of virtual CPU cores, memory, cache, storage, and any other performance characteristic. Configurations of compute instances may also include their location in a particular data center, availability zone, geographic location, etc., and (in the case of reserved compute instances) the reservation term length.
In various embodiments, compute instances may be associated with one or more different security groups. As noted above, a security group may enforce one or more network traffic policies for network traffic at members of the security group. Membership in a security group may be unrelated to the physical location or implementation of a compute instance. Security group legend 482 illustrates the various different shadings used to mark membership in a security group. For example, compute instances 424a1, 424a2, 424a3 and 424a4, implemented on the same virtualization host 420a, may belong to different security groups A, B and C. Other group members, such as instances 424b1, 424b4 and 424n3 of security group B, are implemented at different physical locations. Similarly, instances 424a1, 424a3, 424b2 and 424n2 of security group A, and instances 424a2, 424b3, 424c1 and 424n4 of security group C, are also located differently. The number of members of, or associations with, a particular security group may vary, and the preceding discussion and illustration are not intended to limit the number of group members in a particular security group. Each of security groups A, B and C may enforce its respective network traffic policies for its member instances. In some embodiments, one or more network traffic policies in each security group may include the same network entity handle (as discussed above with regard to Fig. 2). The preceding description is not intended to be limiting, but merely illustrates the many different configurations possible for the compute instances 424 provided by provider network 400.
As illustrated in Fig. 4, a virtualization host 420 (such as virtualization hosts 420a, 420b to 420n) may implement and/or manage multiple compute instances 424 in some embodiments, and may be one or more computing devices, such as computing system 2000 described below with regard to Fig. 12. Virtualization host 320 may include a virtualization management module 422, such as virtualization management modules 422a, 422b to 422n, capable of instantiating and managing a number of different client-accessible virtual machines or compute instances 424. The virtualization management module 422 may include, for example, a hypervisor and an administrative instance of an operating system, which may be termed a "domain-zero" or "dom0" operating system in some embodiments. The dom0 operating system may not be accessible by the clients on whose behalf the compute instances 424 run, but may instead be responsible for various administrative or control-plane operations of the network provider, including handling network traffic directed to or from the compute instances 424.
As illustrated in Fig. 4, the virtualization management module 422 may include a network traffic controller 426, such as network traffic controllers 426a, 426b to 426n. A network traffic controller 426 may be configured to enforce various network traffic policies for the compute instances 424, such as may be enforced based on the security group associations of the compute instances 424.
Fig. 5 is a block diagram illustrating network traffic processing by a network traffic controller of a virtualization host, according to some embodiments. As discussed above, virtualization host 502 may implement multiple compute instances 520a, 520b, 520c to 520n. Virtualization host 502 may also implement a virtualization management module 522 and a network traffic controller 516. Network traffic 500 for the compute instances 520 may be received at network traffic controller 516 as inbound network traffic from another network entity, or as outbound network traffic from a compute instance 520. For particular network traffic that is received, network traffic controller 516 may identify the network traffic policy to apply, such as policy 518a, 518b and/or 518n. For example, a routing table or other metadata may be used to identify the network traffic policies for a particular instance 520. A network traffic policy may be applied to the network traffic, so that the network traffic is allowed, denied, restricted, limited, and so on, according to the policy. A network entity handle included in a policy may be expanded, according to the various techniques described below with regard to Figs. 6-11, so that the network address information specified for the network entity that the handle references is applied. In some embodiments, network traffic controller 516 may request the specified network address information from security group management service 440 and/or network entity registry 442. In some embodiments, a network traffic controller may maintain multiple versions of the network address information received for a network entity handle, and may revert to a version according to an instruction from security group management service 440 and/or registry 442, or based on its own determination.
Although illustrated as being implemented by virtualization hosts 420, in some embodiments network traffic controllers 426 may be implemented separately from virtualization hosts 420 (such as on a different system or computing device). A network traffic controller 426 may be implemented anywhere that network traffic for a particular addressable element (e.g., an instance 424) may have to travel through the network traffic controller 426 in order to reach its destination (i.e., in the traffic path). Thus, the previous discussion and illustration of network traffic controllers in Figs. 4 and 5 are not intended to be limiting.
Returning to Fig. 4, in various embodiments provider network 400 may implement security group management service 440 to manage security group updates or changes, such as by providing the network address information specified in network entity entries in network entity registry 442 to network traffic controllers 426 and/or mapping service 430, according to the various techniques described below with regard to Figs. 6-11. Security group management service 440 may be implemented by one or more nodes, services, systems or devices, such as computing system 2000 described below with regard to Fig. 12. In some embodiments, the security group management service may maintain mapping information between network traffic controllers 426, compute instances 424, security groups, network traffic policies, and particular network entity handles. In some embodiments, a network traffic controller 426 may register a listener, or otherwise indicate a relationship with a particular network entity entry, with security group management service 440 in order to receive updates or notifications regarding the network entity entry.
In various embodiments, security group management service 440 may implement network entity registry 442. As discussed above with regard to Figs. 1-3, network entity registry 442 may be configured to maintain network entity entries for network entities, including network address information, network entity handles, and other information, such as version identifiers, other versions of a network entity entry, and/or the deployment or scheduling of a network entity entry. Network entity registry 442 may be implemented as a database, index, structured data store, or other scheme for maintaining network entity entries. In some embodiments, associations may also be maintained for network traffic policies, including associations with the respective network entity handles and/or network security groups.
Internal network 410 may include the hardware (e.g., modems, routers, switches, load balancers, proxy servers, etc.) and software (e.g., protocol stacks, accounting software, firewall/security software, etc.) necessary to establish networking links between the different components of provider network 400, such as virtualization hosts 420, mapping service 430 and security group management service 440, and external network 460 (e.g., the Internet). In some embodiments, provider network 400 may employ an Internet Protocol (IP) tunneling technology to provide an overlay network via which encapsulated packets may be passed through internal network 410 using tunnels. The IP tunneling technology may provide a mapping and encapsulation system for creating an overlay network on network 410, and may provide a separate namespace for the overlay layer and the internal network 110 layer. Packets in the overlay layer may be checked against a mapping directory (e.g., provided by mapping service 430) to determine what their tunnel target should be. The IP tunneling technology provides a virtual network topology; the interfaces presented to clients 450 may be attached to the overlay network so that when a client 450 provides an IP address to which it wants to send packets, the IP address is run in virtual space by communicating with a mapping service (e.g., mapping service 130) that knows where the IP overlay addresses are. In some embodiments, mapping service 430 may provide network traffic control policies to the various network traffic controllers 426 for enforcement. In these embodiments, mapping service 430 may obtain, or have access to, the network address information for the network entity handles included in network traffic policies, and provide the network address information to network traffic controllers 426 for enforcement. In various embodiments, mapping service 430 may receive the network address information for a network traffic policy in order to expand network entity handles. The expanded network entity handles may then be provided by mapping service 430 to the respective network traffic controllers that enforce the network traffic policies that include the network entity handles.
Clients 450 may encompass any type of client configurable to submit requests to network provider 400. For example, a given client 450 may include a suitable version of a web browser, or may include a plug-in module or other type of code module configured to execute as an extension to, or within, an execution environment provided by a web browser. Alternatively, a client 450 may encompass an application, such as a database application (or user interface thereof), a media application, an office application, or any other application, that may make use of compute instances 424 to perform various operations. In some embodiments, such an application may include sufficient protocol support (e.g., for a suitable version of Hypertext Transfer Protocol (HTTP)) for generating and processing network-based service requests without necessarily implementing full browser support for all types of network-based data. In some embodiments, clients 450 may be configured to generate network-based service requests according to a Representational State Transfer (REST)-style network-based services architecture, a document-based or message-based network-based services architecture, or another suitable network-based services architecture. In some embodiments, a client 450 (e.g., a computational client) may be configured to provide access to a compute instance 424 in a manner that is transparent to applications implemented on the client 424 that utilize the computational resources provided by the compute instance 424.
Clients 450 may convey network-based service requests to provider network 400 via external network 460. In various embodiments, external network 460 may encompass any suitable combination of networking hardware and protocols necessary to establish network-based communications between clients 450 and provider network 400. For example, network 460 may generally encompass the various telecommunications networks and service providers that collectively implement the Internet. Network 460 may also include private networks, such as local area networks (LANs) or wide area networks (WANs), as well as public or private wireless networks. For example, both a given client 450 and provider network 400 may be respectively provisioned within enterprises having their own internal networks. In such an embodiment, network 460 may include the hardware (e.g., modems, routers, switches, load balancers, proxy servers, etc.) and software (e.g., protocol stacks, accounting software, firewall/security software, etc.) necessary to establish a networking link between the given client 450 and the Internet, as well as between the Internet and provider network 400. It is noted that in some embodiments, clients 450 may communicate with provider network 400 using a private network rather than the public Internet.
Fig. 6 is a block diagram illustrating interactions among a network entity entry owner, a network entity entry modifier, and a network entity registry, according to some embodiments. Network entity registry 442 (or security group management service 440) may implement an interface 600, such as a programmatic interface (e.g., an API) or a graphical interface, via which requests may be made to network entity registry 400. A network entity entry owner 602 (which may be a client of provider network 400 that utilizes compute instances or other computing resources of the provider network to implement various applications, services or functions, or a trusted network entity entry provider) may register 610 a network entity entry with network entity registry 442. Network entity registry 442 may accept the registration request (e.g., if valid identity or authentication credentials are included in the request). In some embodiments, improper or unauthorized creation or update requests generate an error message that is sent back to the requestor. For example, in some embodiments some network entity entries are static. A request to update a static network entity entry may return an error for, or a denial of, the request to update the static network entity entry. In some embodiments, notification of the network entity entry (and/or the network address information specified for the entry) may be provided 620 to network traffic controllers 606 that enforce network traffic policies that include the handle for the entry.
In some embodiments, a network entity entry modifier 604 (which is not the owner of the network entity entry) may send an update request 630 to network entity registry 442 to update a particular network entity entry. In some embodiments, approval of the update may be obtained by requesting update approval from network entity entry owner 602, as indicated at 640. If approved (e.g., if approval 650 is received from network entity entry owner 602), notification of the updated network entity entry (and/or the network address information specified for the updated entry) may be provided 660 to network traffic controllers 606 that enforce network traffic policies that include the handle for the entry. In some embodiments, if approval is not obtained, the previous version of the entry may be restored at registry 442, or an indication may be sent to network traffic controllers that may have received the network address information, instructing them to revert to, or obtain, a different version of the network address information for the network entity entry. In some embodiments, the update or change 630 to the network entity entry is temporary (e.g., with a specified or default effective time period). In some embodiments, update approval 650 is a re-authorization of the change (as another temporary update or as a permanent change).
Fig. 7 is a block diagram illustrating interactions among a traffic source, a network traffic controller, and a network entity registry, according to some embodiments. Network traffic controller 760 may enforce network traffic policies (as described above with regard to Fig. 5), including network traffic policies that contain network entity handles. Network traffic controller 760 may receive, via network entity registry interface 600 (described above with regard to Fig. 6), network address information from network entity registry 442 that pertains to the handles included in the network traffic policies enforced by network traffic controller 760. Network traffic 700 received from a traffic source 750 (either traffic outbound from a compute instance to an external destination, or inbound traffic received for a particular compute instance) may be evaluated. The policy containing the network entity handle may be applied 704 together with the network address information specified for the current entry for the network entity in network entity registry 442. If the network entity entry is changed, updated or modified, the network address information for the updated entry may be provided 740 from network entity registry 442 to network traffic controller 760. For example, a notification of the new version of the entry may be sent to the controllers 760 that use the entry. Controller 760 may then request the network address information specified for the new version of the entry. Alternatively, in some embodiments, controller 760 may periodically (or aperiodically) poll registry 442 for new versions of the entries for the handles included in the network policies enforced at controller 760. In some embodiments, when an update is made, the network address information for the updated network entity entry may be pushed out to network traffic controller 760. Once the network address information associated with the updated network entity entry has been provided 740, network traffic 720 received at controller 760 may be evaluated, and the network traffic policy applied together with the network address information specified for the updated entry, as indicated at 722.
The examples of implementing a network entity registry for network entity handles included in network traffic policies enforced for a provider network, discussed above with regard to Figs. 4-7, have been given in regard to virtual computing resources offered by a provider network. Various other types or configurations of provider network may implement these techniques. Other virtual computing resources (e.g., those for which security groups and network traffic policies are implemented) may implement a network entity registry. For example, virtual block storage volumes may enforce network traffic policies directed toward individual storage volumes.
Fig. 8 is a high-level flowchart illustrating various methods and techniques for implementing a network entity registry for network entity handles included in network traffic policies enforced for a provider network, according to some embodiments. These techniques may be implemented using the various components of a virtual computing resource provider as described above with regard to Figs. 4-7, or other provider network components.
As indicated at 810, multiple network entity entries may be maintained at a network entity registry, each of which specifies network address information for a network entity handle included in network traffic policies enforced at network traffic controllers for addressable elements in a provider network. As noted above, in some embodiments an addressable element may be a computing resource or other device in the provider network that receives and sends network traffic, for which one or more network traffic policies may be enforced by a network traffic controller. The network entity registry may maintain entries that include network address information for a network entity (such as IP addresses, IP address ranges, masks, and various other forms of network address information) for identifying and/or communicating with the network entity (as noted above with regard to Fig. 3). A network entity entry may also include a handle, such as a handle reference or identifier, that may be included in a network traffic policy to indicate the network entity entry that specifies the network address information for the network traffic policy. In some embodiments, a version identifier that identifies a particular version of a network entity entry (e.g., a version number or timestamp) may be maintained. In some embodiments, multiple previous versions of an entity entry may be maintained in addition to the current entity entry.
As indicated at 820, in some embodiments a request to update a particular network entity entry may be received. For example, the update request may seek to change the network address information in the entity entry (e.g., adding a new IP address in a new subnet, changing an IP address range, adding different addresses or swapping addresses), to change deployment information for the network entity entry (e.g., to network traffic controllers), or to make any other change to the network entity entry. In some embodiments, various authentication checks or protocols may be performed. For example, the identity of the requestor may be verified, and authorization to perform the update may be determined. In response to receiving the request, the particular network entity entry may be updated according to the request, as indicated at 830.
As indicated at 840, the network address information specified in the updated network entity entry may be provided to the network traffic controllers in the provider network that enforce network traffic policies that include the network entity handle for the updated network entity entry. For example, multiple network traffic control policies may be implemented by multiple network traffic controllers. A subset of these network traffic controllers may enforce network traffic policies that include the handle for the particular network entity entry that was updated. Thus, in various embodiments, the network address information specified for the network traffic policies may be provided to the network traffic controllers in that subset. In some embodiments, network traffic information may not be provided directly to network traffic controllers. Instead, the network traffic information may be provided to an intermediate system or device that may ultimately provide the network traffic information to the network traffic controllers. For example, a mapping service or other system may register for and receive the network address information for a network entity handle, and update/provide/send/reconfigure the network traffic controllers that enforce policies that include the network entity handle with the network address information for the updated entry.
In at least some embodiments, a new network entity entry, or an update to a network entity entry, may not need to be made in order for network address information to be provided to network traffic controllers. Thus, in some embodiments, elements 820 and 830 may not be performed; instead, for a given network entity entry, the network address information may be provided to the subset of network traffic controllers that enforce network traffic policies that include the handle for that entry. The various techniques for providing the network information, such as the push or pull models discussed above and below, may also be applied. For example, network address information for different network entity entries may be sent to network traffic controllers periodically, even if the network address information has not changed.
In some embodiments, updates to network entity entries may be temporary. For example, an update request may specify a duration for the update to the network entity entry. In some embodiments, when the time period for the entry expires, the network entity entry may revert to the previous version of the entry. In some embodiments, some network entity entries are static or unchangeable, and thus may not be updated (although they may be deleted, and/or the network traffic policies that include the static network handle may be deleted).
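The flow of elements 810-840, together with the static-entry and revert behavior just described, can be modeled in a few dozen lines. The following is an added illustration, not code from the patent or from any provider; the class and method names, the account names and the documentation-range addresses are all hypothetical, and version numbers here are simple counters.

```python
import ipaddress
from dataclasses import dataclass, field


class RegistryError(Exception):
    """A registry request was rejected."""


@dataclass
class Entry:
    owner: str
    static: bool
    modifiers: set                                 # non-owners the owner has authorized
    versions: list = field(default_factory=list)   # each item is a list of networks

    @property
    def version(self):
        return len(self.versions)                  # version identifier; 1 is the first


class Registry:
    def __init__(self):
        self.entries = {}
        self.listeners = {}    # handle -> controllers enforcing policies that use it

    def register(self, handle, owner, cidrs, static=False, modifiers=()):
        nets = [ipaddress.ip_network(c) for c in cidrs]
        self.entries[handle] = Entry(owner, static, set(modifiers), [nets])

    def subscribe(self, handle, controller):
        self.listeners.setdefault(handle, []).append(controller)
        self._push(handle)                         # deliver the current version at once

    def update(self, handle, requester, cidrs):
        entry = self.entries[handle]
        if entry.static:
            raise RegistryError(f"{handle} is static and cannot be updated")
        if requester != entry.owner and requester not in entry.modifiers:
            raise RegistryError(f"{requester} is not authorized for {handle}")
        entry.versions.append([ipaddress.ip_network(c) for c in cidrs])
        self._push(handle)
        return entry.version

    def revert(self, handle):
        entry = self.entries[handle]
        if entry.version < 2:
            raise RegistryError(f"{handle} has no previous version")
        entry.versions.pop()                       # the previous version is current again
        self._push(handle)
        return entry.version

    def _push(self, handle):
        # Only the subset of controllers registered for this handle is notified.
        entry = self.entries[handle]
        for controller in self.listeners.get(handle, []):
            controller.receive(handle, entry.version, entry.versions[-1])


class TrafficController:
    def __init__(self, registry, policies):
        # policies: (action, handle, port) rules; first match wins, default deny.
        self.policies = policies
        self.resolved = {}                         # handle -> (version, networks)
        for _action, handle, _port in policies:
            if handle not in self.resolved:
                self.resolved[handle] = (0, [])
                registry.subscribe(handle, self)

    def receive(self, handle, version, networks):
        self.resolved[handle] = (version, list(networks))

    def evaluate(self, src_ip, port):
        addr = ipaddress.ip_address(src_ip)
        for action, handle, rule_port in self.policies:
            _version, nets = self.resolved[handle]  # expand the handle at decision time
            if port == rule_port and any(addr in net for net in nets):
                return action
        return "deny"


def demo():
    # Constructed sample data; all names and addresses are placeholders.
    reg = Registry()
    reg.register("partner-api", "acct-owner", ["198.51.100.0/24"],
                 modifiers={"acct-partner"})
    reg.register("corp-dns", "provider", ["192.0.2.53/32"], static=True)
    ctl = TrafficController(reg, [("allow", "partner-api", 443),
                                  ("allow", "corp-dns", 53)])
    results = [ctl.evaluate("203.0.113.7", 443)]   # address not in version 1
    reg.update("partner-api", "acct-partner",
               ["198.51.100.0/24", "203.0.113.0/28"])
    results.append(ctl.evaluate("203.0.113.7", 443))  # same policy, new addresses
    reg.revert("partner-api")
    results.append(ctl.evaluate("203.0.113.7", 443))  # back to version 1
    try:
        reg.update("corp-dns", "provider", ["192.0.2.54/32"])
    except RegistryError:
        results.append("rejected")                 # static entries refuse updates
    return results


if __name__ == "__main__":
    print(demo())
```

The policy rules never change during the run; only the entry behind the handle does, which is why every identity allowed to update an entry effectively holds write access to each policy that references its handle.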
Network address information may be provided to network traffic controllers in various ways. In some embodiments, the network traffic controllers that enforce network traffic policies including the handle for the particular network entity entry that was updated may be identified. For example, a network traffic controller may register for, or request, updates for specified network entity handles at the network entity registry. Based on this registration information, the network traffic controllers for a particular network entity entry may be identified. In some embodiments, a network traffic controller may request a new version of the network address information for a network entity entry (e.g., as part of polling behavior). Network address information may also be provided to network traffic controllers according to a deployment schedule. For example, a new version of the network address information may be provided to the network traffic controllers implemented for compute instances located in data center A 2 hours before it is provided to those for compute instances located in data center B. In some embodiments, randomized deployment schedules may be implemented so that updating network entity entries randomly blocks and does not block network traffic, in order to simulate network outages and other problems.
In some embodiments, network entity entries may be created, registered, updated or otherwise modified by many different entities. In some embodiments, a client or other user of the provider network who owns, controls, configures or manages computing resources may set up or associate network traffic policies and security groups, and the network entity entries whose handles are included in those network traffic policies. For example, a developer or provider of a web service (e.g., a content distribution service) may utilize multiple compute instances and associate different instances with one or more security groups, with accompanying network traffic policies, for handling the various types of network traffic directed toward the compute instances of the web service. The developer may also authorize third parties (or other entities) to update or reconfigure network entity entries for the web service. If, for example, the content distribution service allows other services (e.g., a social media service) to link to the website or upload media to the website, the content distribution service may authorize the trusted social media service to update the network entity entry referenced by the network entity handle included in a network traffic policy that allows traffic for that handle. Various authorization techniques may be used to delegate to and/or authorize other entities that are not the network entity entry owner (e.g., that are not the owner of the compute instances associated with the network traffic control policies associated with the policy object).
Fig. 9 is a high-level flowchart illustrating various methods and techniques for obtaining approval from a network entity entry owner for an update to a network entity entry, according to some embodiments.
As indicated at 910, an update request for a network entity entry may be received that is not from the network entity entry owner. In various embodiments, the update request includes various authentication credentials (e.g., an identity token) and/or authorization credentials. In some embodiments, it may be determined, based at least in part on these or other credentials, that the update request is not from the network entity entry owner. The request may include the changes to be applied to the network entity entry (e.g., additional allowed or different IP addresses). The update request may be formatted and received according to an interface (such as an API) for registering, creating and/or modifying network entity entries at the registry (such as registry 442 described above with regard to Fig. 4). In some embodiments, the update to the network entity entry may be performed and provided to the network traffic controllers that enforce network traffic policies that include the network entity handle for the network entity entry (such as by the various techniques discussed above with regard to Fig. 8). In some embodiments, the updated network entity entry may additionally be marked as temporary or unapproved. An unapproved change to a network entity entry may trigger additional approval mechanisms.
For example, as indicated at 920, in some embodiments approval of the update to the network entity entry may be requested from the network entity entry owner. As noted above, the metadata describing a network entity entry may include the identity of the network entity entry owner, preferred contact methods, pre-approved or authorized updates to the policy object, or other information that may be used to implement or update the network entity entry. Approval may be requested by sending a message to the policy object owner via the security group management service interface. For example, as a client of a virtual computing resource provider, the network entity entry owner may have access to a graphical user interface (such as a control panel) that conveys an indication, alert, or other notice of the approval request to the network entity entry owner. In some embodiments, preferred notification or contact methods may be provided to the security group management service in advance, indicating that an email, text message, or telephone call be directed to a particular account or telephone number. Information describing the change and the identity of the entity modifying the network entity entry may be included in the approval request. Approval may be provided via the same communication method by which the approval request was made, or via a different one. In some embodiments, the approval request may include modifications to the change itself, or to the implementation, scheduling, or enforcement of the change to the network entity entry.
In some embodiments, if approval is obtained (as indicated by the positive exit from element 930), the network address information for the updated network entity entry may be maintained, as indicated at 940. For example, in some embodiments the updated network entity entry may be marked as approved or removed from a list of unapproved changes, so that the change to the network entity entry is made permanent. If approval is not obtained (e.g., a negative response or no response is received within a particular time period), as indicated by the negative exit from element 930, an indication may be provided that the previous version of the network address information specified in the network entity entry is to be enforced, as indicated at 950.
Fig. 10 is a high-level flowchart illustrating various methods and techniques for registering a network traffic controller to receive network address information for a network entity handle to a network entity entry in a network entity registry, according to some embodiments. As indicated at 1010, a registration request may be sent to the network entity registry for a network traffic controller that enforces a network traffic policy including a handle for a network entity entry. For example, the registration request may specify a notification or update mechanism for receiving updates to the network entity entry, such as a request that the specified network address information for the network entity entry be sent to the network traffic controller when an update is performed (or that the network traffic controller merely be notified that an update was performed). In some embodiments, as indicated at 1020, the specified network address information may be received at the network traffic controller from the network entity registry. In some embodiments, this specified information may be stored locally (possibly together with previous versions of the network address information for the network entity handle to the network entity entry). As indicated at 1030, network traffic may be received at the traffic controller, and a network traffic policy that includes the network entity handle for the network entity entry may be identified. The identified network traffic policy may then be enforced using the specified network address information received for the network entity handle, as indicated at 1040 (e.g., blocking or allowing network address information "121.133.130.01" identified as "Bob_network").
As noted above, in some embodiments a network traffic controller may request updated network address information for a network entity entry. Fig. 11 is a high-level flowchart illustrating various methods and techniques for obtaining specified network address information for an updated network entity entry, according to some embodiments. In some embodiments, as indicated at 1110, a request for updated network address information for a network entity handle included in a network traffic policy enforced at the network traffic controller may be sent to the network entity registry. For example, the request may include a version number for the network entity entry. If a higher version number is available at the network entity registry, the updated network address information may be provided. If updated network address information is provided (as indicated by the positive exit from 1120), the specified network address information may be used to enforce the network traffic policy that includes the network entity handle for the network entity entry, as indicated at 1130. However, if no update is received, or no response is received from the network entity registry, a polling period may be allowed to elapse, as indicated at 1122, before another request for updated network address information is sent (as indicated at 1110).
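The registry behaviour described for Figs. 9 to 11, as an added example that is not code from the patent: a small in-memory registry in which a non-owner update is applied provisionally, a rejected or timed-out approval restores the previous addresses, and a traffic controller polls by version number. The class names, the delegate list, the documentation-range addresses, and publishing a revert as a new version number are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    handle: str
    owner: str
    addresses: frozenset                  # CIDR strings the handle resolves to
    version: int = 1
    static: bool = False                  # static entries refuse every update
    delegates: set = field(default_factory=set)   # non-owners allowed to propose
    previous: Optional[frozenset] = None  # kept while an update is unapproved


class Registry:
    def __init__(self):
        self.entries = {}
        self.subscribers = {}             # handle -> controller ids (step 1010)

    def create(self, handle, owner, addresses, static=False, delegates=()):
        self.entries[handle] = Entry(handle, owner, frozenset(addresses),
                                     static=static, delegates=set(delegates))

    def register(self, controller_id, handle):
        self.subscribers.setdefault(handle, set()).add(controller_id)
        entry = self.entries[handle]
        return entry.version, entry.addresses

    def update(self, handle, requester, addresses):
        entry = self.entries[handle]
        if entry.static:
            raise PermissionError("static entry: update denied")
        if requester != entry.owner and requester not in entry.delegates:
            raise PermissionError("requester is not authorized for this entry")
        if entry.previous is not None:
            raise RuntimeError("an unapproved update is already pending")
        new = frozenset(str(ipaddress.ip_network(a)) for a in addresses)
        if requester != entry.owner:      # step 910: keep the old set, mark unapproved
            entry.previous = entry.addresses
        entry.addresses, entry.version = new, entry.version + 1
        return "applied" if requester == entry.owner else "provisional"

    def resolve(self, handle, approved):
        """Steps 930-950. Call with approved=False on rejection or timeout."""
        entry = self.entries[handle]
        if entry.previous is None:
            raise RuntimeError("no pending update")
        if not approved:                  # 950: previous addresses enforced again
            entry.addresses, entry.version = entry.previous, entry.version + 1
        entry.previous = None             # nothing pending; approval keeps the change (940)

    def poll(self, handle, known_version):
        entry = self.entries[handle]      # steps 1110/1120
        if entry.version > known_version:
            return entry.version, entry.addresses
        return None                       # caller waits a polling period (1122)


class TrafficController:
    """Enforces an ordered list of (action, handle) rules; default is deny."""

    def __init__(self, controller_id, registry, rules):
        self.registry, self.rules = registry, rules
        self.cache = {h: registry.register(controller_id, h) for _, h in rules}

    def refresh(self):
        changed = []
        for handle, (version, _) in list(self.cache.items()):
            newer = self.registry.poll(handle, version)
            if newer is not None:
                self.cache[handle] = newer
                changed.append(handle)
        return changed

    def decide(self, source_ip):          # steps 1030/1040
        ip = ipaddress.ip_address(source_ip)
        for action, handle in self.rules:
            nets = self.cache[handle][1]
            if any(ip in ipaddress.ip_network(n) for n in nets):
                return action
        return "deny"


def demo():
    # Constructed sample data; "Bob_network" is the handle named in the text.
    reg = Registry()
    reg.create("Bob_network", "bob", {"203.0.113.0/24"}, delegates={"partner"})
    tc = TrafficController("tc-1", reg, [("allow", "Bob_network")])
    seen = [tc.decide("198.51.100.7")]
    reg.update("Bob_network", "partner", {"203.0.113.0/24", "198.51.100.7/32"})
    tc.refresh()
    seen.append(tc.decide("198.51.100.7"))   # provisional change is enforced
    reg.resolve("Bob_network", approved=False)
    tc.refresh()
    seen.append(tc.decide("198.51.100.7"))   # previous addresses restored
    return seen
```

Because the provisional address set is enforced until the owner answers, the approval timeout bounds how long an unreviewed change can admit traffic.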
Embodiments of the disclosure can be described in view of the following clauses:
1. A system, comprising:
a plurality of compute nodes that implement a provider network, wherein the provider network implements a plurality of network traffic controllers, wherein each of the plurality of network traffic controllers enforces respective network traffic policies for one or more addressable elements in the provider network;
a network entity registry, configured to:
maintain a plurality of network entity entries, each of which specifies network address information for a network entity handle included in respective one or more network traffic policies of the plurality of network traffic policies enforced at the plurality of network traffic controllers;
receive a request to update a particular one of the plurality of network entity entries;
in response to receiving the request:
update the particular network entity entry according to the update request, wherein a subset of the plurality of network traffic controllers enforces network traffic policies that include a network entity handle for the network address information specified in the particular network entity entry; and
provide the network address information specified in the updated network entity entry to the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle, in order to enforce the respective one or more network traffic policies according to the network address information specified in the updated network entity entry.
2. The system of clause 1, wherein to provide the network address information specified in the updated network entity entry to the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle, the network entity registry is configured to:
receive a request from each of the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle; and
in response to each request from the network traffic controllers of the subset of network traffic controllers, send the network address information of the updated network entity entry to the requesting network traffic controller.
3. The system of clause 1, wherein to provide the network address information specified in the updated network entity entry to the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle, the network entity registry is configured to:
identify each of the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle; and
send the network address information of the updated network entity entry to the identified network traffic controllers of the subset of network traffic controllers.
4. The system of clause 1, wherein the provider network is a virtual computing resource provider, wherein the addressable elements in the provider network are compute instances, wherein the network traffic controllers are each implemented on a different virtualization host that also implements the one or more compute instances for which the network traffic controller enforces the respective network traffic policies, wherein each of the respective network traffic policies is enforced for members of a particular security group of a plurality of security groups, and wherein the one or more compute instances are members of one or more security groups of the plurality of security groups.
5. A method, comprising:
performing, by one or more computing devices:
maintaining a plurality of network entity entries at a network entity registry, each of which specifies network address information for a network entity handle included in respective one or more network traffic policies enforced at a plurality of network traffic controllers, wherein each of the plurality of network traffic controllers enforces respective network traffic policies for one or more addressable elements in a provider network;
for a given network entity entry, providing the network address information specified in the given network entity entry to the network traffic controllers of a subset of network traffic controllers that enforce network traffic policies including the network entity handle, in order to enforce the network traffic policies according to the network address information specified in the given network entity entry.
6. The method of clause 5, wherein said providing the network address information specified in the given network entity entry to the network traffic controllers of the subset of network traffic controllers comprises:
receiving a request from each of the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle; and
in response to each request from the network traffic controllers of the subset of network traffic controllers, sending the network address information of the given network entity entry to the requesting network traffic controller.
7. The method of clause 5, wherein said providing the network address information specified in the given network entity entry to the network traffic controllers of the subset of network traffic controllers comprises:
identifying each of the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle; and
sending the network address information of the given network entity entry to the identified network traffic controllers of the subset of network traffic controllers.
8. The method of clause 5, wherein said providing the network address information specified in the given network entity entry to the network traffic controllers of the subset of network traffic controllers is performed according to a deployment schedule for the updated network entity entry, such that the network traffic policy including the network entity handle is enforced for at least one addressable element of the one or more addressable elements in the provider network at a different time than for another addressable element of the one or more addressable elements in the provider network.
9. The method of clause 5, further comprising:
receiving a request to update the given network entity entry;
in response to receiving the request:
updating the given network entity entry according to the update request; and
performing said providing the network address information specified in the given network entity entry to the network traffic controllers of the subset of network traffic controllers.
10. The method of clause 9, wherein the request to update the given network entity entry is not received from a network entity entry owner of the given network entity entry, and wherein the method further comprises:
in response to receiving the request:
requesting, from the network entity entry owner, approval of the update to the given network entity entry; and
in response to obtaining approval of the update to the given network entity entry from the network entity entry owner, performing said updating the given network entity entry and said providing the network address information specified in the given network entity entry.
11. The method of clause 9, wherein the request to update the given network entity entry is not received from a network entity entry owner of the given network entity entry, and wherein the method further comprises:
in response to receiving the request:
requesting, from the network entity object entry, approval of the update to the given network entity entry; and
in response to obtaining approval of the update to the given network entity entry from the network entity entry owner, indicating to the network traffic controllers of the subset of network traffic controllers that enforce the network traffic policies including the network entity handle that previous network address information for the network entity handle is to be enforced.
12. The method of clause 5, further comprising:
receiving a request to update another network entity entry of the plurality of network entity entries, wherein the other network entity entry is maintained as a static network entity entry; and
in response to receiving the update request for the static network entity entry, denying the update request.
13. The method of clause 5, wherein the provider network is a virtual computing resource provider, wherein the addressable elements in the provider network are compute instances, wherein the network traffic controllers are each implemented on a different virtualization host that also implements the one or more compute instances for which the network traffic controller enforces the respective network traffic policies, wherein each of the respective network traffic policies is enforced for members of a particular security group of a plurality of security groups, and wherein the one or more compute instances are members of one or more security groups of the plurality of security groups.
14. A non-transitory computer-readable storage medium storing program instructions that, when executed by one or more computing devices, cause the one or more computing devices to implement:
maintaining a plurality of network entity entries at a network entity registry, each of which specifies network address information for a network entity handle included in respective one or more network traffic policies enforced at a plurality of network traffic controllers, wherein each of the plurality of network traffic controllers enforces respective network traffic policies for one or more addressable elements in a provider network;
receiving a request to update a particular network entity entry of the plurality of network entity entries;
in response to receiving the request:
updating the particular network entity entry according to the update request, wherein a subset of the plurality of network traffic controllers enforces network traffic policies that include a network entity handle for the network address information specified in the particular network entity entry; and
providing the network address information specified in the updated network entity entry to the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle, in order to enforce the respective one or more network traffic policies according to the network address information specified in the updated network entity entry.
15. The non-transitory computer-readable storage medium of clause 14, wherein, in said providing the network address information specified in the updated network entity entry to the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle, the program instructions further cause the one or more computing devices to implement:
receiving a request from each of the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle; and
in response to each request from the network traffic controllers of the subset of network traffic controllers, sending the network address information of the updated network entity entry to the requesting network traffic controller.
16. The non-transitory computer-readable storage medium of clause 14, wherein, in said providing the network address information specified in the updated network entity entry to the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle, the program instructions further cause the one or more computing devices to implement:
identifying each of the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle; and
sending the network address information of the updated network entity entry to the identified network traffic controllers of the subset of network traffic controllers.
17. The non-transitory computer-readable storage medium of clause 16, wherein the program instructions further cause the one or more computing devices to implement:
prior to performing said identifying the network traffic controllers, receiving registration requests from the network traffic controllers of the subset of network traffic controllers that enforce the respective one or more network traffic policies including the network entity handle;
wherein said identifying the network traffic controllers is based, at least in part, on the registration requests.
18. The non-transitory computer-readable storage medium of clause 14, wherein the updated version of the particular network entity object is a temporary version of the particular network entity object, and wherein the program instructions further cause the one or more computing devices to implement:
upon expiration of a time period for the temporary version of the particular network entity object, indicating to the one or more network traffic controllers associated with the respective one or more network traffic policies described by the updated version of the network entity object that the previous version of the network entity object is to be enforced.
19. The non-transitory computer-readable storage medium of clause 14, wherein the request to update the particular network entity object is not received from a network entity object owner of the particular network entity object, and wherein the program instructions further cause the one or more computing devices to implement:
in response to receiving the request:
requesting, from the network entity object owner, approval of the update to the particular network entity object; and
in response to obtaining approval of the update to the particular network entity object from the network entity object owner, performing said creating the updated version of the particular network entity object and said providing the updated version of the network entity object.
20. The non-transitory computer-readable storage medium of clause 14, wherein the provider network is a virtual computing resource provider, wherein the addressable elements in the provider network are compute instances, wherein the network traffic controllers are each implemented on a different virtualization host that also implements the one or more compute instances for which the network traffic controller enforces the respective network traffic policies, wherein each of the respective network traffic policies is enforced for members of a particular security group of a plurality of security groups, and wherein the one or more compute instances are members of one or more security groups of the plurality of security groups.
In various embodiments, the methods described herein may be implemented by any combination of hardware. For example, in one embodiment the methods may be implemented by a computer system (e.g., a computer system as in Fig. 12) that includes one or more processors executing program instructions stored on a computer-readable storage medium coupled to the processors. The program instructions may be configured to implement the functionality described herein (e.g., the functionality of the various servers and other components that implement the virtual computing resource provider described herein). The various methods as illustrated in the figures and described herein represent example embodiments of methods. The order of any method may be changed, and various elements may be added, reordered, combined, omitted, modified, etc.
Embodiments of security group management that dynamically updates security group policies for virtual computing resources, as described herein, may be executed on one or more computer systems, which may interact with various other devices. Fig. 12 is a block diagram illustrating an example computer system, according to various embodiments. For example, in different embodiments computer system 2000 may be configured to implement nodes of a compute cluster, a distributed key-value data store, and/or a client. Computer system 2000 may be any of various types of devices, including but not limited to a personal computer system, desktop computer, laptop or mobile computer, mainframe computer system, handheld computer, workstation, network computer, consumer device, application server, storage device, telephone, mobile telephone, or in general any type of computing device.
Computer system 2000 includes one or more processors 2010 (any of which may include multiple cores, which may be single-threaded or multi-threaded) coupled to a system memory 2020 via an input/output (I/O) interface 2030. Computer system 2000 also includes a network interface 2040 coupled to I/O interface 2030. In various embodiments, computer system 2000 may be a uniprocessor system including one processor 2010, or a multiprocessor system including several processors 2010 (e.g., two, four, eight, or another suitable number). Processors 2010 may be any suitable processors capable of executing instructions. For example, in various embodiments processors 2010 may be general-purpose or embedded processors implementing any of a variety of instruction set architectures (ISAs), such as the x86, PowerPC, SPARC, or MIPS ISAs, or any other suitable ISA. In multiprocessor systems, each of processors 2010 may commonly, but not necessarily, implement the same ISA. Computer system 2000 also includes one or more network communication devices (e.g., network interface 2040) for communicating with other systems and/or components over a communications network (e.g., the Internet, a LAN, etc.). For example, a client application executing on system 2000 may use network interface 2040 to communicate with a server application executing on a single server or on a cluster of servers that implement one or more components of the data warehouse described herein. In another example, an instance of a server application executing on computer system 2000 may use network interface 2040 to communicate with other instances of the server application (or another server application) that may be implemented on other computer systems (e.g., computer system 2090).
In the illustrated embodiment, computer system 2000 also includes one or more persistent storage devices 2060 and/or one or more I/O devices 2080. In various embodiments, persistent storage devices 2060 may correspond to disk drives, tape drives, solid-state memory, other mass storage devices, or any other persistent storage device. Computer system 2000 (or a distributed application or operating system operating thereon) may store instructions and/or data in persistent storage devices 2060, as desired, and may retrieve the stored instructions and/or data as needed. For example, in some embodiments computer system 2000 may host a storage system server node, and persistent storage 2060 may include the SSDs attached to that server node.
Computer system 2000 includes one or more system memories 2020 configured to store instructions and data accessible by processor(s) 2010. In various embodiments, system memories 2020 may be implemented using any suitable memory technology (e.g., one or more of cache, static random access memory (SRAM), DRAM, RDRAM, EDO RAM, DDR 10 RAM, synchronous dynamic RAM (SDRAM), Rambus RAM, EEPROM, non-volatile/Flash-type memory, or any other type of memory). System memory 2020 may contain program instructions 2025 that are executable by processor(s) 2010 to implement the methods and techniques described herein. In various embodiments, program instructions 2025 may be encoded in platform native binary, in any interpreted language (such as Java byte-code), in any other language (such as C/C++, Java™, etc.), or in any combination thereof. For example, in the illustrated embodiment program instructions 2025 include program instructions executable to implement the functionality of a virtual computing resource provider network, in different embodiments. In some embodiments, program instructions 2025 may implement separate clients, server nodes, and/or other components.
In some embodiments, program instructions 2025 may include instructions executable to implement an operating system (not shown), which may be any of various operating systems (UNIX, LINUX, Solaris™, MacOS™, Windows™, etc.). Any or all of program instructions 2025 may be provided as a computer program product, or software, that includes a non-transitory computer-readable storage medium having instructions stored thereon, which may be used to program a computer system (or other electronic device) to perform a process according to various embodiments. A non-transitory computer-readable storage medium may include any mechanism for storing information in a form (e.g., software, processing application) readable by a machine (e.g., a computer). Generally speaking, a non-transitory computer-accessible medium may include computer-readable storage media or memory media, such as magnetic or optical media (e.g., disk or DVD/CD-ROM), coupled to computer system 2000 via I/O interface 2030. A non-transitory computer-readable storage medium may also include any volatile or non-volatile media, such as RAM (e.g., SDRAM, DDR SDRAM, RDRAM, SRAM, etc.), ROM, etc., that may be included in some embodiments of computer system 2000 as system memory 2020 or another type of memory. In other embodiments, program instructions may be communicated using optical, acoustical, or other forms of propagated signal (e.g., carrier waves, infrared signals, digital signals, etc.) conveyed via a communication medium such as a network and/or a wireless link, such as may be implemented via network interface 2040.
In some embodiments, system memory 2020 may include data store 2045, which may be configured as described herein. In general, system memory 2020 (e.g., data store 2045 within system memory 2020), persistent storage devices 2060, and/or remote storage devices 2070 may store data blocks, replicas of data blocks, metadata associated with data blocks and/or their state, configuration information, and/or any other information usable in implementing the methods and techniques described herein.
In one embodiment, I/O interface 2030 may be configured to coordinate I/O traffic between processor 2010, system memory 2020, and any peripheral devices in the system, including through network interface 2040 or other peripheral interfaces. In some embodiments, I/O interface 2030 may perform any necessary protocol, timing, or other data transformations to convert data signals from one component (e.g., system memory 2020) into a format suitable for use by another component (e.g., processor 2010). In some embodiments, I/O interface 2030 may include support for devices attached through various types of peripheral buses, such as a variant of the Peripheral Component Interconnect (PCI) bus standard or the Universal Serial Bus (USB) standard, for example. In some embodiments, the function of I/O interface 2030 may be split into two or more separate components, such as a north bridge and a south bridge, for example. Also, in some embodiments, some or all of the functionality of I/O interface 2030, such as an interface to system memory 2020, may be incorporated directly into processor 2010.
Network interface 2040 may be configured to allow data to be exchanged between computer system 2000 and other devices attached to a network, such as other computer systems 2090 (which may implement one or more storage system server nodes, database engine head nodes, and/or clients of the database systems described herein), for example. In addition, network interface 2040 may be configured to allow communication between computer system 2000 and various I/O devices 2050 and/or remote storage devices 2070. In some embodiments, input/output devices 2050 may include one or more display terminals, keyboards, keypads, touch panels, scanning devices, voice or optical recognition devices, or any other devices suitable for entering or retrieving data by one or more computer systems 2000. Multiple input/output devices 2050 may be present in computer system 2000 or may be distributed on various nodes of a distributed system that includes computer system 2000. In some embodiments, similar input/output devices may be separate from computer system 2000 and may interact with one or more nodes of a distributed system that includes computer system 2000 through a wired or wireless connection, such as over network interface 2040. Network interface 2040 may commonly support one or more wireless networking protocols (e.g., Wi-Fi/IEEE 802.11, or another wireless networking standard). However, in various embodiments, network interface 2040 may support communication via any suitable wired or wireless general data networks, such as other types of Ethernet networks, for example. Additionally, network interface 2040 may support communication via telecommunications/telephony networks such as analog voice networks or digital fiber communications networks, via storage area networks such as Fibre Channel SANs, or via any other suitable type of network and/or protocol. In various embodiments, computer system 2000 may include more, fewer, or different components than those illustrated in FIG. 12 (e.g., displays, video cards, audio cards, peripheral devices, other network interfaces such as an ATM interface, an Ethernet interface, a Frame Relay interface, etc.).
It is noted that any of the distributed system embodiments described herein, or any of their components, may be implemented as one or more network-based services. For example, a compute cluster within a computing service may present computing services and/or other types of services that employ the distributed computing systems described herein to clients as network-based services. In some embodiments, a network-based service may be implemented by a software and/or hardware system designed to support interoperable machine-to-machine interaction over a network. A network-based service may have an interface described in a machine-processable format, such as the Web Services Description Language (WSDL). Other systems may interact with the network-based service in a manner prescribed by the description of the network-based service's interface. For example, the network-based service may define various operations that other systems may invoke, and may define a particular application programming interface (API) to which other systems may be expected to conform when requesting the various operations.
In various embodiments, a network-based service may be requested or invoked through the use of a message that includes parameters and/or data associated with the network-based services request. Such a message may be formatted according to a particular markup language such as Extensible Markup Language (XML), and/or may be encapsulated using a protocol such as Simple Object Access Protocol (SOAP). To perform a network-based services request, a network-based services client may assemble a message including the request and convey the message to an addressable endpoint (e.g., a Uniform Resource Locator (URL)) corresponding to the network-based service, using an Internet-based application layer transfer protocol such as Hypertext Transfer Protocol (HTTP).
In some embodiments, network-based services may be implemented using Representational State Transfer ("RESTful") techniques rather than message-based techniques. For example, a network-based service implemented according to a RESTful technique may be invoked through parameters included within an HTTP method such as PUT, GET, or DELETE, rather than encapsulated within a SOAP message.
Although the embodiments above have been described in considerable detail, numerous variations and modifications may become apparent to those of ordinary skill in the art once the above disclosure is fully appreciated. It is intended that the following claims be interpreted to embrace all such modifications and changes and, accordingly, that the above description be regarded in an illustrative rather than a restrictive sense.
Claims (15)
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US14/158,504 | 2014-01-17 | ||
| US14/158,504 US9548897B2 (en) | 2014-01-17 | 2014-01-17 | Network entity registry for network entity handles included in network traffic policies enforced for a provider network |
| PCT/US2015/011525 WO2015109051A1 (en) | 2014-01-17 | 2015-01-15 | An entity handle registry to support traffic policy enforcement |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105981331A (en) | 2016-09-28 |
| CN105981331B (en) | 2020-05-15 |
Family
ID=53543421
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201580007364.5A Active CN105981331B (en) | 2014-01-17 | 2015-01-15 | Entity handling registry for supporting traffic policy enforcement |
Country Status (6)
| Country | Link |
|---|---|
| US (1) | US9548897B2 (en) |
| EP (1) | EP3095214B1 (en) |
| JP (1) | JP6314236B2 (en) |
| CN (1) | CN105981331B (en) |
| CA (1) | CA2936956C (en) |
| WO (1) | WO2015109051A1 (en) |
Families Citing this family (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP2916227A1 (en) * | 2014-03-04 | 2015-09-09 | Agco Corporation | Machine error and failure mitigation |
| US20150288767A1 (en) * | 2014-04-03 | 2015-10-08 | Centurylink Intellectual Property Llc | Network Functions Virtualization Interconnection Hub |
| JP6370993B2 (en) * | 2014-08-07 | 2018-08-08 | インテル アイピー コーポレイション | Control traffic from applications when third-party servers encounter problems |
| US10225327B2 (en) | 2014-08-13 | 2019-03-05 | Centurylink Intellectual Property Llc | Remoting application servers |
| US10129100B2 (en) * | 2014-08-22 | 2018-11-13 | Vmware, Inc. | Policy management system for heterogeneous cloud services |
| US11363424B2 (en) * | 2014-11-19 | 2022-06-14 | Imprivata, Inc. | Location-based resource management |
| US10917788B2 (en) * | 2014-11-19 | 2021-02-09 | Imprivata, Inc. | Inference-based detection of proximity changes |
| US10749808B1 (en) * | 2015-06-10 | 2020-08-18 | Amazon Technologies, Inc. | Network flow management for isolated virtual networks |
| US9882833B2 (en) | 2015-09-28 | 2018-01-30 | Centurylink Intellectual Property Llc | Intent-based services orchestration |
| JP6275180B2 (en) * | 2016-03-23 | 2018-02-07 | ソフトバンク株式会社 | SETTING INFORMATION GENERATION DEVICE, NETWORK CONTROL DEVICE, METHOD, AND PROGRAM |
| US10547588B2 (en) * | 2016-04-30 | 2020-01-28 | Nicira, Inc. | Method of translating a logical switch into a set of network addresses |
| US10511484B1 (en) * | 2017-03-24 | 2019-12-17 | Amazon Technologies, Inc. | Membership self-discovery in distributed computing environments |
| US10454930B2 (en) * | 2017-07-14 | 2019-10-22 | EMC IP Holding Company LLC | System and method for local data IP based network security for preventing data breach attempts in a multi-tenant protection storage deployment |
| US10853091B2 (en) * | 2017-07-18 | 2020-12-01 | Citrix Systems, Inc. | Cloud to on-premises windows registry settings |
| US11010336B2 (en) | 2018-12-27 | 2021-05-18 | Nutanix, Inc. | System and method for provisioning databases in a hyperconverged infrastructure system |
| US11201800B2 (en) * | 2019-04-03 | 2021-12-14 | Cisco Technology, Inc. | On-path dynamic policy enforcement and endpoint-aware policy enforcement for endpoints |
| US11095534B1 (en) * | 2019-11-29 | 2021-08-17 | Amazon Technologies, Inc. | API-based endpoint discovery of resources in cloud edge locations embedded in telecommunications networks |
| US11743325B1 (en) | 2019-11-29 | 2023-08-29 | Amazon Technologies, Inc. | Centralized load balancing of resources in cloud edge locations embedded in telecommunications networks |
| US20230418639A1 (en) | 2022-06-22 | 2023-12-28 | Nutanix, Inc. | Database server agent |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060233180A1 (en) * | 2005-04-14 | 2006-10-19 | Alcatel | Systems and methods for managing network services between private networks |
| US20090138577A1 (en) * | 2007-09-26 | 2009-05-28 | Nicira Networks | Network operating system for managing and securing networks |
| US20100043066A1 (en) * | 2008-05-21 | 2010-02-18 | Miliefsky Gary S | Multiple security layers for time-based network admission control |
| US20130332982A1 (en) * | 2012-06-11 | 2013-12-12 | Cisco Technology, Inc. | System and method for identity based authentication in a distributed virtual switch network environment |
Family Cites Families (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5968176A (en) * | 1997-05-29 | 1999-10-19 | 3Com Corporation | Multilayer firewall system |
| US20020184525A1 (en) * | 2001-03-29 | 2002-12-05 | Lebin Cheng | Style sheet transformation driven firewall access list generation |
| US7277953B2 (en) | 2001-04-18 | 2007-10-02 | Emc Corporation | Integrated procedure for partitioning network data services among multiple subscribers |
| US20040022258A1 (en) * | 2002-07-30 | 2004-02-05 | Docomo Communications Laboratories Usa, Inc. | System for providing access control platform service for private networks |
| US7567510B2 (en) | 2003-02-13 | 2009-07-28 | Cisco Technology, Inc. | Security groups |
| US7418485B2 (en) * | 2003-04-24 | 2008-08-26 | Nokia Corporation | System and method for addressing networked terminals via pseudonym translation |
| US7480798B2 (en) | 2003-06-05 | 2009-01-20 | International Business Machines Corporation | System and method for representing multiple security groups as a single data object |
| US7827402B2 (en) | 2004-12-01 | 2010-11-02 | Cisco Technology, Inc. | Method and apparatus for ingress filtering using security group information |
| US8924524B2 (en) * | 2009-07-27 | 2014-12-30 | Vmware, Inc. | Automated network configuration of virtual machines in a virtual lab data environment |
| US8356346B2 (en) | 2010-01-30 | 2013-01-15 | Fatpipe, Inc. | VPN secure sessions with dynamic IP addresses |
| JP5403445B2 (en) * | 2010-03-20 | 2014-01-29 | 株式会社Pfu | Virtual machine management apparatus, virtual machine management method, and program |
| US8401006B2 (en) | 2010-08-19 | 2013-03-19 | Unwired Planet, Inc. | Method and system for enforcing traffic policies at a policy enforcement point in a wireless communications network |
| US8660129B1 (en) * | 2012-02-02 | 2014-02-25 | Cisco Technology, Inc. | Fully distributed routing over a user-configured on-demand virtual network for infrastructure-as-a-service (IaaS) on hybrid cloud networks |
- 2014
  - 2014-01-17 US US14/158,504 patent/US9548897B2/en active Active
- 2015
  - 2015-01-15 JP JP2016547094A patent/JP6314236B2/en active Active
  - 2015-01-15 EP EP15737606.2A patent/EP3095214B1/en active Active
  - 2015-01-15 CN CN201580007364.5A patent/CN105981331B/en active Active
  - 2015-01-15 WO PCT/US2015/011525 patent/WO2015109051A1/en not_active Ceased
  - 2015-01-15 CA CA2936956A patent/CA2936956C/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| US9548897B2 (en) | 2017-01-17 |
| JP6314236B2 (en) | 2018-04-18 |
| CA2936956C (en) | 2019-11-05 |
| CA2936956A1 (en) | 2015-07-23 |
| EP3095214B1 (en) | 2021-11-03 |
| EP3095214A4 (en) | 2017-08-23 |
| US20150207683A1 (en) | 2015-07-23 |
| WO2015109051A1 (en) | 2015-07-23 |
| EP3095214A1 (en) | 2016-11-23 |
| JP2017507563A (en) | 2017-03-16 |
| CN105981331B (en) | 2020-05-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105981331A (en) | An entity handle registry to support traffic policy enforcement | |
| US10754513B2 (en) | Updating assets rendered in a virtual world environment based on detected user interactions in another world | |
| CN113032490B (en) | Contract data processing method, related equipment and medium | |
| CN105024865B (en) | Cloud Federation as a Service | |
| JP7093340B2 (en) | Methods and systems realized by blockchain | |
| Van Steen et al. | A brief introduction to distributed systems | |
| JP7236991B2 (en) | Methods and systems implemented by blockchain | |
| US20210042748A1 (en) | Blockchain-based secure resource management | |
| CN105393219B (en) | application market for virtual desktop | |
| CN104902019B (en) | A kind of application method, server and terminal | |
| JP2021527349A (en) | Data anonymization for service subscriber privacy | |
| CN111133428B (en) | System and method for registering subscribable state in blockchain | |
| CN109213724A (en) | Automate desktop arrangement | |
| WO2011067101A1 (en) | Dynamic access control for documents in electronic communications within a cloud computing environment | |
| CN103703443A (en) | Strong rights management for computing application functionality | |
| CN107332861A (en) | A kind of open platform architecture system based on OAuth agreements | |
| CN111213135A (en) | System and method for blockchain based notification | |
| CN111183444A (en) | System and method for registering subscribable substates in a blockchain | |
| US20070115830A1 (en) | Computer-implemented method, system, and program product for tracking a location of a user of a wireless device in a private network environment | |
| CN118550967A (en) | Asset management method, device, equipment and medium in blockchain | |
| Nakamura et al. | Design and Implementation of the TBOI (Time-Based Operation Interruption) Protocol to Prevent Late Information Flow in the IoT | |
| KR20250093976A (en) | Method for providing benefits using NFT assets and computing device performing the same and computing device performing the same method | |
| HK40029706A (en) | System and method for blockchain-based notification | |
| HK40029566A (en) | System and method for registering subscribable states in blockchain | |
| HK40029706B (en) | System and method for blockchain-based notification |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |